A new report from the GitLab Threat Intelligence Team lifts the veil on the latest tradecraft utilized by North Korean threat actors, revealing an escalation in their “Contagious Interview” and fraudulent IT worker campaigns.
Rather than just breaching networks from the outside, these operatives are getting hired, gaining privileged access, and even hijacking the digital identities of company executives.
The foundation of this infiltration relies on a deceptive hiring process. According to the GitLab report, “Since at least 2022, North Korean nation-state threat actors have posed as recruiters to induce software developers to execute malicious code projects under the pretense of technical interviews”.

Once a developer runs the seemingly benign coding test, the trap springs. The report explains that these “Malicious projects execute custom malware, allowing threat actors to steal credentials and remotely control devices, enabling financial and identity theft and lateral movement”.
While GitLab successfully “identified and banned accounts created by North Korean threat actors used for Contagious Interview” in 2025, the intelligence gathered during these investigations exposed a much deeper, more insidious strategy at play.
The most alarming discovery in the report details an active, multi-layered infiltration of an American business.
The threat actors’ internal notes revealed that they successfully “gained employment with at least one small U.S.-based technology agency in mid-2025”. From this initial foothold, the operative was “subsequently contracted to five other organizations,” massively expanding the blast radius of the compromise.
The level of access obtained was critical. The operative “gained significant access to the agency, including privileged access to web hosts used for client projects and potential access to an executive’s Slack account”.
However, the North Korean actors didn’t just steal data; they stole the executive’s persona. Investigators found that the threat actor “stored copies of the executive’s resume and message logs indicating that the threat actor may represent themselves as the executive in communications with external parties”.
Historically, fraudulent IT worker schemes relied on a “burn and churn” methodology, spamming job boards with thousands of fake applicants. This incident, however, signals a dangerous strategic pivot.
“This incident is an example of a North Korean fake IT worker cultivating a small number of detailed personas,” the GitLab Threat Intelligence Team observes. “This approach is distinct from other operators that focus on a higher volume of disposable personas”.
By investing time in building deeply credible, detailed digital lives, these operatives can bypass standard HR vetting processes and secure roles with higher security clearances and broader network access.
As remote work remains a staple of the global tech industry, the GitLab intelligence serves as a critical warning. Organizations must urgently adapt their hiring and identity verification processes to defend against an adversary that is no longer just knocking on the firewall, but actively interviewing for the job.